An anonymous reader writes "A federal judge in Vermont has denied a motion to suppress evidence filed by three defendants in a child porn case. The three had alleged their Fourth Amendment rights were violated when police used an automated P2P query-response tool to gather information from their computers. That information subsequently led to their arrest and indictments. The judge held (PDF) that the defendants had either inadvertently, or otherwise, made the information available for public download on a P2P network and therefore couldn't assert any privacy claims over the data."

Especially on a P2P network like Gnutella where you can do search by keywords and then directly view what people have on their computers. It's like hanging a poster in your living room of a child being abused and someone walking by seeing it. They made the materials available for the public to see. I hope more people who are into sick stuff like that make the mistake of having the files publicly visible. Especially p2p users since given the nature of p2p they can also be slapped with a distribution charge which will add years to their sentence.

"2) Going down the eugenics and forced sterilization route is a slippery slope straight to hell. Look at what we used to do in the 1930s. It's the stuff of nightmares."

Sorry - I have to disagree.

By that logic, all firearms should be outlawed, because some firearms have been used to commit crimes. A LOT of people will latch onto that, and clamor for stricter gun control - but the logic doesn't stop there. Since some automobiles have been used to commit murder, then all automobiles should be outlawed. Knives have been used to murder, so all knives should be outlawed. Rocks have been used to commit murder, blah blah blah.

Horrible things have been done, in the name of science, and specifically eugenics. Does that necessarily mean that any studies into eugenics is evil? I say, "Not only NO, but HELL NO!"

While I will readily admit that eugenics can be pretty damned scary, it has the POTENTIAL of weeding out a lot of hereditary diseases and conditions. If scientists announced tomorrow that they could screen for cystic fibrosis, with greater than 99% confidence, and abort the fetus early in the first trimester, would you object to that? Or, even better for those who oppose abortion for any reason: Mother could take a prenatal supplement that would guarantee that she couldn't conceive a child subject to cystic fibrosis. She simply rejects any sperm. Yes, I'm pulling this out of my ass, it's entirely from dreamland - but IF it were possible, would you object?

How 'bout if we could prevent elephantiasis, or mongoloids, or any number of deformities and conditions? Would you object to weeding out alcoholism?

Eugenics isn't evil in and of itself. I feel that we have a responsibility to take reasonable actions to make future generations healthier. Or, smarter. Or stronger.

Forced sterilization? If we got so far along that we could screen for all the many conditions that make people's lives so miserable, sterilization wouldn't be a necessity. Instead, Mother can pick and choose traits, simply rejecting any and all number of undesirable traits.

So when AT&T made their iPhone subscriber list "available for public download" that implicitly gave people on the internet permission to access this private information? Oh wait, they sentenced Weev to jail time for that [slashdot.org]. I'm so confused.

And no, I'm not defending child porn users. Well, I guess I sort of am. But not... Darn it, you guys know what I mean.

And no, I'm not defending child porn users. Well, I guess I sort of am. But not... Darn it, you guys know what I mean.

Kiddie porn pirates are not the problem, the problem are all the people involved in the production. If you believe the MAFIAA's rhetoric the pirates are the solution since they are destroying the jobs of all the hard-working people in the kiddie porn industry.

How many kids got abused because pedos had their impulses inflamed by porn? And found a welcoming community of like-minded people to offer support, encouragement and advice? I think you're looking at this wrong.

I think the notion that CP somehow extinguishes a fire in a pedo, preventing harm, is groundless. It goes against common sense and 60+ years of pr0n research. Extraordinary claims require extraordinary proof. My claim is reasonable and rooted in the common human experience. It is prima facie true.

I wonder how many children are spared abuse because the pervs had their impulses shunned by porn.

Not many I suspect. All the porn does is stoke the fires of the perversion. It's a kind of addiction, a progressive disease, not unlike alcoholism. Use of the porn will lead to an actual victim at some point if the porn user lives long enough and gets the opportunity.

It would potentially mean it could be used as evidence against people without a search warrant. It certainly means it could be used as evidence against AT&T if it showed evidence of a crime since they were the ones who made the mistake.

I don't think you understand what Auernheimer did. The database wasn't "available for public download". It was exposed due to poor design and poor security. This is directly counter to the purpose of P2P software, which is to make accessible files and/or information on one's computer.

All approaches for human authentication rely on at least one of the following:

Something you know (eg. a password). This is the most common kind of authentication used for humans. We use passwords every day to access our systems. Unfortunately, something that you know can become something you just forgot. And if you write it down, then other people might find it.

You seem confused on the differences between access and authorization. The question in the AT&T case was about authorization. Was the guy authorized to access the things he did? Clearly he could access the data, but was he authorized to do so? If you have my bank credentials you have access to my account, but you do not have authorization to do anything with the account. Yes, you have the ability to do things, but that is nowhere near the same as being authorized.

I don't see how any reasonable person can determine that a publicly facing web server without any sort of authentication is not free to access. Authentication is how authorization is implemented on the internet. Any other policy will break the internet.

If there was a link off of att.com

How do you know you are authorized to visit att.com in the first place? You submit a query, and see if you get a response. Exactly what weev did.

Weev took advantage of a poorly secured access on their part. That is hardly the same thing as putting something on a peer to peer network. It's akin to saying that just because someone secured their house with screen doors that they were okay with people taking their contents.

Now you can fairly criticize AT&T for poor security, and you can certainly criticize Weev for taking their data and publicizing it, but try to keep the criticism grounded in reality, eh?

And the police here took advantage of poorly secured access on these guys' P2P program. The only evidence that these guys intended to share this data is that the data was shared. The same evidence exists for AT&T's data.

If I leave a pie on my window sill to cool, you don't have a right to steal it. That AT&T data sounds like the pie to me.

If I left a pie on a table in front of the house with a sign that said, "free pie for anybody who wants it", and a health inspector came by and cited me for distributing food in an unsafe manner and/or without a permit, that'd be like putting illegal data on a p2p network.

In this case they implied consent of making their information public by using that network, an AT&T customer did not imply consent of their information being made public.

AT&T implied consent of that information being made public by not implementing any sort of authentication. From TFA:

"The evidence overwhelmingly demonstrates that the only information accessed was made publicly available by the IP address or the software it was using," Reiss wrote. "Accordingly, either intentionally or inadvertently, through the use of peer-to-peer file sharing software, Defendants exposed to the public the information they now claim was private."

Could you not say exactly the same thing about AT&T's "private" data? Substitute "peer to peer" with "web server" where appropriate.

IANAL, but there comes a point when every law reduces to some arbitrary judgment call. If I leave a box of donuts open in my closed (but not locked) office, I might expect coworkers not to eat any. On the other hand, leaving the same box of donuts in the break room makes that assumption unreasonable. In both cases, there is absolutely nothing stopping coworkers from getting to the donuts; society has decided that putting the donuts behind a door makes them my property, whereas putting them in the break room

Whoever this AC arguing with you is, they should really consider reading the summary before digging any deeper.

Specifically, the last sentence, where the judge states that intent has nothing to do with the ruling (admittedly fucked up, but it does technically legitimize weev's access of the files AT&T made public-facing).

A public, unauthenticated internet service is a public, unauthenticated internet service.

Weev did not make a standard query to a server and get information. He had scripts that sent millions of possible IMEIs to the server to get information for that specific user. He was convicted because he used IMEIs that did not belong to him and therefore masqueraded as the owners of those phones to download the information.

Intention seems to be the definitive factor for you, so riddle me this: did the kiddie-diddlers intend to expose incriminating evidence? If not, then this is a discrepancy in the application of the law -- not entirely unexpected, but still worth pointing out.

Intention seems to be the definitive factor for you, so riddle me this: did the kiddie-diddlers intend to expose incriminating evidence? If not, then this is a discrepancy in the application of the law -- not entirely unexpected, but still worth pointing out.

Of course their intent was not to incriminate themselves. But their intent was clearly to share this incriminating content publicly with other like minded kiddie-diddlers. Thus they made it public.

Your argument is like saying an illegal drug dealer that sells drugs to an undercover cop can't have the sold drugs used as evidence against him, because his intent wasn't to incriminate himself, but instead to sell the drugs to proper drug users.

Certainly, there are many high-profile unauthenticated web services which are intended to be free for the public to use. However, this doesn't necessarily mean that all are.

The widely employed social convention is that they are.

Similarly, there are plenty of closed doors which are perfectly fine for the general public to open (doors to stores, public buildings, hotel lobbies, etc.), while there are plenty of doors that are not.

You have to post trespass notices in places that otherwise appear public; like posting notices on the boundaries of your undeveloped property where the property line would not be obvious (especially in a place where you don't construct a physical fence, like the woods).

You do NOT have to post a trespass notice on your front door, or garage door, or shed door, whether you lock them or not. OTOH a visibly-marked store does not have to post a "non-trespass" notice on *their* door. The contexts in the phy

The judge held (PDF) that the defendants had either inadvertently, or otherwise, made the information available for public download on a P2P network and therefore couldn't assert any privacy claims over the data.

"inadvertently made public" == "did not intend to make public."

Intent has fuck-all to do with the ruling; per the judge, what these pervs did and what AT&T did are exactly the same thing.

Could you not say exactly the same thing about AT&T's "private" data? Substitute "peer to peer" with "web server" where appropriate.

Actually, probably not. There was an access control on the data in the weev case, as I understand it, it was just a brain-dead stupid one: your user agent. Basically, you could only pull the email addresses from the AT&T web server if you were using an iPad.

Which leads me to why I expect the two are legally different: when you put something up on a P2P service, they become searchable and not just accessible. Half of the point behind a P2P service is make it possible to find interesting files, the other

Are you saying that the pervs (I agree with the term if they are really users of C.P., which I don't know) were offering use of their p2p sharing resources for all purposes, including for law enforcement access? Because the way hacking laws are applied, the judge pays attention to the intent of the "maker-available" and not just to the question of whether it was published on the internet.

AT&T made their list available, the pervs made their media available. AT&T didn't want Weev to access (other p

False analogy. This case is not controlled by copyright law. This is a fourth amendment case. Those two bodies of law have almost nothing to do with each other substantively (yes, there may be fourth amendment implications to how police investigate copyrights, but that's separate from the substance of copyright law). The question here is whether the defendants had a reasonable expectation of privacy in the data, not what they subjectively hoped people would do with it. If you grow weed in an open field, with a sign that says, "Cops don't look!" it doesn't matter that you subjectively intended to exclude police from seeing what was in the field. Your expectation of privacy, if you had any, was not reasonable.

No, they are not. Don't be stupid. Weev was convicted of identity fraud - he was lying about who he was to get access to data he was not authorized to access. The police are not engaged in identity fraud - they are allowed to use different identities.

If you run a service on the internet, you have no expectation of privacy of the data you serve. That sounds reasonable enough. But why then was weev [wired.com] imprisoned for downloading data from a publicly facing web server?

If weev can be imprisoned for computer hacking by using a publicly facing server in ways not intended by the owner, why aren't the police here facing similar charges?

But the court's decision doesn't argue that. It argues that intention is irrelevant, and there is no privacy expectation in this case even if the files were accidentally or otherwise unintentionally made available.

Because that WAS the intention of the owner: to share their data with random, unknown 3rd parties. That's pretty much the entire purpose of P2P networks.

According to the summary, intent is non sequitur:

The judge held that the defendants had either inadvertently, or otherwise, made the information available for public download on a P2P network and therefore couldn't assert any privacy claims over the data.

Well, if you share something on a P2P network, you intend for people to download it. If you accidentally reveal a list of other people's sensitive information (because you're bad at the web), you arguably didn't intend to make that data publicly available.

Not meaning to side against weev or anything here, just pointing out a meaningful difference between the two.

You have to be pretty darn "bad at the web" to put stuff on a web server unintentionally. I doubt the guy in this article had any more intent to reveal what he was downloading and who he was than AT&T had to publish that customer list. He did so publicly because he did not fully understand the nature of how the application worked, just like AT&T apparently did not understand how .htaccess, or whatever the problem was, worked.

Probably because weev's lawyers didn't do a good job arguing that by putting content on a public web server, AT&T was publishing it for all to see.

Analogies like printing free newspapers with this information at the bottom of page 36 and placing them in those hoppers on street corners could have been drawn; it's unlikely that very many people will get to page 36 and read the bottom, as that's usually buried among all of the crap advertising spots, but that information was made available in publis

There is a distinction between this and the situation in weev. It doesn't seem like a big distinction to people who are even vaguely familiar with URLs but to many legal professionals, a large percentage of whom are technically incompetent (the number of law offices I've seen running open access points or WEP encrypted wireless networks in my office building is pretty astounding). This isn't true for all in the legal community, and I'm sure it is getting less common as time goes by, but there are still a

That is not the distinction you are looking for. The distinction is that AT&T was not accused of committing a crime and these guys have been. It might seem related until you understand something about the legal system: there are different rules for different things.

In the case of Weev, he accessed data without authority. (No, I haven't reviewed the case to see exactly what the charges were, but it was something along those lines). Weev was then accused of having broken a law (pertaining to unauthorized

If you run a service on the internet, you have no expectation of privacy of the data you serve. That sounds reasonable enough. But why then was weev [wired.com] imprisoned for downloading data from a publicly facing web server?

If weev can be imprisoned for computer hacking by using a publicly facing server in ways not intended by the owner, why aren't the police here facing similar charges?

Your argument is total rubbish. The "expectation of privacy" or lack thereof means that "weev", whoever that is, probably was allowed to tell the world that a company is careless with customers' data. That doesn't give him any right to the actual data. It's private information. He can't get the right to download information belonging to X, Y, Z and over a hundred thousand other people just because someone who is neither X, Y, Z nor any of those other people makes a mistake.

If one has gone through the trouble to contract with a PKI provider for an ssl certificate, and taken other reasonable precautionary measures, I would think that the secured traffic provides a reasonable expectation of privacy, by a legal definition, even if technically, that privacy is not bulletproof. If you're sending plaintext over the wire, then, of course, you should know you could be listened to. But not secured traffic.

Because he brute force hacked the IMEIs and downloaded information for specific users. He was convicted because he used IMEIs that did not belong to him and therefore masqueraded as the phone owner to gain the information.

In this case the police used standard P2P queries to get the information. It is not hacking when one does not fraudulently misidentify one's self.

The ruling is on, "made the information available for public download on a P2P network" there are plenty of private p2p services. If you make your information available to everyone then of course the police don't need to go through red tape to get that information. Non-story

In other news, the Police also do not need a warrant to attend your public meeting. They don't need a warrant to read the book you published on the rack of the local bookstore. They don't need a warrant to browse around your open store in the local strip mall.

And they don't need a warrant to download data you offered up to any member of the public and browse through it to find incriminating evidence.

*Disclaimer* I did not read the article. (Anyone surprised) By claiming that their 4th amendment rights were violated, they basically just pled guilty. The proper defense is "ZOMG some sicko hacked my WiFi!"

*Disclaimer* I did not read the article. (Anyone surprised)
By claiming that their 4th amendment rights were violated, they basically just pled guilty. The proper defense is "ZOMG some sicko hacked my WiFi!"

Not at all. There are plenty of circumstances where a 4th Amendment challenge may exist in addition to other legal and factual defenses. For example, let's say you are driving a convertible and get pulled over by the police for no good reason, and they proceed to search your car without probable cause and find a baggie of drugs in the back seat. You have two 4th Amendment challenges here - both to the stop, and also to the search. You also have a defense that the baggie in the back seat of a convertible

This is correct. The first stage of any criminal prosecution after arraignment is decisions on motions to exclude different types of evidence that the prosecutor is required to disclose that they intend to use at trial. This could be 1) physical evidence, like the smoking gun, 2) statements such as interviews with the police or other admissions, or 3) electronic evidence such as this.

So if one allows access to P2P indexers, those people cannot retroactively claim their privacy was violated. Reasonable enough. However, if Google records unencrypted WiFi broadcasts over public spectrum they are guilty of wiretapping? It seems like there's a double standard being applied by the courts.

Yeah, I don't see what the issue is. They were sharing these files, or left them in folders their P2P software would automatically share.

The article shows the police went out of their way to deliberately not download the files, presumably for 4th Amendment search reasons, though why even that would be a problem I don't know. They were deliberately and knowingly sharing those files.

I imagine they were trying to say that as Disney is the copyright holder and was doing the distributing then users are getting the files legitimately. While I agree in principle I don't know that it really follows from the ruling.

Child porn is very handy for setting a precedent, because judge and jury alike will usually so loathe the victim they'll do anything to see a strict sentence happen. If you've a defendant you can prove had child porn, you could probably charge them with regicide and conspiracy to blow up Pluto - and still have a chance of a conviction.

The Internet is peer-to-peer, apart from recent end-to-end compromises such as carrier-grade NAT. But as I understand the Computerworld article, it refers specifically to file search and sharing applications run on top of the peer-to-peer Internet.

The National Juvenile Online Victimization Study in 2005 [missingkids.com] found that 100% of CP possessors whose cases were not dismissed or dropped were convicted, and 86% to 90% of the cases were guilty pleas (presumably with plea bargains.) Once you are accused of CP possession, you will almost always be convicted regardless of the facts and circumstances. If you fight it, you will be given many times the punishment of the plea bargain you turned down.

It depends. From a technical standpoint, it's only reasonable to create MD5 collisions, and even then, it requires engineering both files. So, in many contexts, even MD5 collisions can be considered non-issues. A lot of P2P systems use SHA1 or SHA2, which alleviate even that problem.

Realistically, most jurisdictions don't actually trust that as evidence. A defense lawyer will ask exactly what you're asking, and then you'll be forced into the situation of explaining shadowy technical magic, which juries neve

From TFA, it stated that the defendants had files with the same hash value as known kiddy porn files. Now I know a hash collision is unlikely, but by its very nature it is possible. Since they did not download the file, how can they claim to have probable cause? That's kind of scary...

Hmmm....

hash collision is unlikely

claim to have probable cause

I wonder if there's a reason it's called "probable cause" instead of "absolutely proven cause", and why it legally has a different standard of (un)certainty than needed for conviction?
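
Added example, not part of the thread or the article: a Python sketch of the hash-matching question raised in the comments above, showing how a file is matched against a known-hash set and how small the chance of an accidental match between unrelated files is for MD5, SHA-1 and SHA-256. The sample bytes, the known set and the function names are constructed for illustration; the estimates cover accidental matches only, not deliberately engineered MD5 collisions, which the comment above treats separately.

```python
import hashlib
import math

# Digest sizes in bits for the algorithms named in the thread.
DIGEST_BITS = {"md5": 128, "sha1": 160, "sha256": 256}


def accidental_match_probability(known_hashes: int, bits: int) -> float:
    """Chance that ONE unrelated file's digest equals any digest in a
    known set of size `known_hashes` (union bound, tight when the set is
    tiny compared with 2**bits)."""
    return known_hashes / 2.0 ** bits


def birthday_collision_probability(files: int, bits: int) -> float:
    """Chance that ANY two of `files` unrelated files share a digest,
    using the birthday approximation 1 - exp(-n(n-1) / 2^(bits+1))."""
    pairs = files * (files - 1) / 2.0
    # -expm1(-x) equals 1 - exp(-x) but keeps precision when x is tiny.
    return -math.expm1(-pairs / 2.0 ** bits)


def digests(data: bytes) -> dict:
    """Compute every digest in DIGEST_BITS over the same bytes."""
    return {name: hashlib.new(name, data).hexdigest() for name in DIGEST_BITS}


def match_against_known(data: bytes, known: dict) -> dict:
    """Return algorithm -> True/False for membership in the known set.
    `known` maps algorithm name -> set of hex digests."""
    computed = digests(data)
    return {name: computed[name] in known.get(name, set()) for name in DIGEST_BITS}


# Constructed sample data: two "known" files and one near-identical file.
KNOWN_FILES = [b"constructed sample file A", b"constructed sample file B"]
KNOWN_SET = {name: {digests(f)[name] for f in KNOWN_FILES} for name in DIGEST_BITS}
ONE_BYTE_DIFFERENT = b"constructed sample file a"


if __name__ == "__main__":
    print("exact copy :", match_against_known(KNOWN_FILES[0], KNOWN_SET))
    print("1 byte off :", match_against_known(ONE_BYTE_DIFFERENT, KNOWN_SET))
    for name, bits in DIGEST_BITS.items():
        p_one = accidental_match_probability(10**6, bits)
        p_any = birthday_collision_probability(10**9, bits)
        print(f"{name:7s} one file vs 1e6 known: {p_one:.2e}   "
              f"any pair among 1e9 files: {p_any:.2e}")
```

A match on two independent algorithms over the same bytes makes an accidental collision even less plausible than the single-digest figures printed here.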